An Analysis of the “Destructive” Malware Behind FBI Warnings

TrendLabs engineers were recently able to obtain a malware sample of the “destructive malware” described in reports about the Federal Bureau of Investigation (FBI) warning to U.S. businesses last December 2. According to Reuters, the FBI issued a warning to businesses to remain vigilant against this new “destructive” malware in the wake of the recent Sony Pictures attack. As of this writing, the link between the Sony breach and the malware mentioned by the FBI has yet to be verified.

The FBI flash memo titled “#A-000044-mw” describes an overview of the malware behavior, which reportedly has the capability to override all data on hard drives of computers, including the master boot record, which prevents them from booting up.

Below is an analysis of our own findings:

Analysis of the BKDR_WIPALL Malware

Our detection for the malware detailed in the FBI report is BKDR_WIPALL. Below is a quick overview of the infection chain for this attack.

The main installer here is diskpartmg16.exe (detected as BKDR_WIPALL.A). BKDR_WIPALL.A’s overlay is encrypted with a set of user names and passwords as seen in the screenshot below:

These user names and passwords are found to be encrypted by XOR 0x67 in the overlay of the malware sample and are then used to log into the shared network. . Once logged in, the malware attempts to grant full access to everyone that will access the system root.

Figure 2. Code snippet of the malware logging into the network

The dropped net_var.dat contains a list of targeted hostnames:

Figure 3. Targeted host names

The next related malware is igfxtrayex.exe (detected as BKDR_WIPALL.B), which is dropped by BKDR_WIPALL.A. It sleeps for 10 minutes (or 600,000 milliseconds as seen below) before it carries out its actual malware routines:

Figure 4. BKDR_WIPALL.B (igfxtrayex.exe) sleeps for 10 minutes

Figure 5. Encrypted list of usernames and passwords also present in BKDR_WIPALL.B

Figure 6. Code snippet of the main routine of igfxtrayex.exe (BKDR_WIPALL.B)

This malware’s routines, aside from deleting users’ files, include stopping the Microsoft Exchange Information Store service. After it does this, the malware sleeps for another two hours. It then forces the system to reboot.

Figure 7. Code snippet of the force reboot

It also executes several copies of itself named taskhost{random 2 characters}.exe with the following parameters:

Figure 8. The malware deletes all the files (format *.*) in fixed and network drives

The malware components are encrypted and stored in the resource below:

Figure 9. BKDR_WIPALL.B malware components

Additionally, BKDR_WIPALL.B accesses the physical drive that it attempts to overwrite:

Figure 10. BKDR_WIPALL.B overwrites physical drives

We will be updating this post with our additional analysis of the WIPALL malware.

Analysis by Rhena Inocencio and Alvin Bacani

Update as of December 3, 2014, 5:30 PM PST

Upon analysis of the same WIPALL malware family, its variant BKDR_WIPALL.D drops BKDR_WIPALL.C, which in turn, drops the file walls.bmp in the Windows directory. The .BMP file is as pictured below:

Figure 11. Dropped wallpaper

This appears to be the same wallpaper described in reports about the recent Sony hack last November 24 bearing the phrase “hacked by #GOP.” Therefore we have reason to believe that this is the same malware used in the recent attack to Sony Pictures.

Note that BKDR_WIPALL.C is also the dropped named as igfxtrayex.exe in the same directory of BKDR_WIPALL.D.

We will update this blog entry for more developments.

Additional analysis by Joie Salvio

Our coverage of the Sony attack continues as we spot more developments. Here is a list of our stories related to this incident:

Security Predictions for 2018

Attackers are banking on network vulnerabilities and inherent weaknesses to facilitate massive malware attacks, IoT hacks, and operational disruptions. The ever-shifting threats and increasingly expanding attack surface will challenge users and enterprises to catch up with their security.Read our security predictions for 2018.

Business Process Compromise

Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more,
read our Security 101: Business Process Compromise.